Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Create dynamic search from lookup

rdownie
Communicator
‎06-22-2015 04:57 AM

I would like to be able to take the lookup table defined below and create searches from it.

dsearch.csv

index,source,sourcetype,eventtype
firewall,*,*,*
*,/var/log/syslog,syslog,*
netflow,*,bro,bro_smtp

I tried using inputlookup in a subsearch and passing it back, but doesn't work.

search [|inputlookup dsearch.csv | fields index,source,sourcetype,eventtype | format ]
which would return:
((index=firewall AND source=* AND sourcetype=* AND eventtype=*))

I realize I would probably need a map command to do multiple lines, but I can't get it to read work with just one line.
This would be really powerful in validating data is coming in by defined fields for each datasource (i.e, multiple hosts or log files...).
Any help would be appreciated.

Thanks,
Bob

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎06-22-2015 05:17 AM

You will need to adjust the format command. This allows you to have multiple conditions for the time period you select. 

* [ |inputlookup dsearch.csv | fileds index source sourcetype eventtype |  format "(" "(" "" ")" "OR" ")"

And the logic from your example is now:

( ( index="firewall" ) OR ( source="/var/log/syslog" sourcetype="syslog" ) OR ( eventtype="bro_smtp" index="netflow" sourcetype="bro" ) )

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎06-22-2015 05:17 AM

You will need to adjust the format command. This allows you to have multiple conditions for the time period you select. 

* [ |inputlookup dsearch.csv | fileds index source sourcetype eventtype |  format "(" "(" "" ")" "OR" ")"

And the logic from your example is now:

( ( index="firewall" ) OR ( source="/var/log/syslog" sourcetype="syslog" ) OR ( eventtype="bro_smtp" index="netflow" sourcetype="bro" ) )
Reply
Solved! Jump to solution

rdownie
Communicator
‎06-22-2015 05:32 AM

That works for the first line. Now I need to create a new search for each line in the csv. That is a good start.
Thanks,
Bob

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎06-22-2015 05:35 AM

um, no? I took your example as is, so it works for each line in the csv at the SAME time. One search for ALL lines in the CSV. If you want to do something else after the lookup search runs, that is a different question. Please Accept answer as you will.

0 Karma
Reply
Solved! Jump to solution

rdownie
Communicator
‎06-22-2015 05:39 AM

I already accepted the answer. You did exactly what I asked. Thanks,

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎06-22-2015 05:06 AM

Not sure if this is what you want, but have you tried | inputlookup | your search?

0 Karma
Reply
Solved! Jump to solution

rdownie
Communicator
‎06-22-2015 05:13 AM

I have renamed my fields in the lookup and tried using this format:
|inputlookup index_watch2.csv |map search=search earliest=-5m index=$myindex$ AND host=$myhost$

Which also did not work.

0 Karma
Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎06-22-2015 05:15 AM

Oh, I think I just understood what you want. Hm.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...